Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2023-49082: python-aiohttp: ClientSession is vulnerable to CRLF injection via method | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | adrian.glaubitz, andres.munoz, gianluca.gabrielli, kvanderveer, public-cloud-maintainers, rjschwei, stoyan.manolov |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/386430/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-49082:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
SMASH SMASH
2023-11-30 07:50:23 UTC
Affected packages:
- SUSE:ALP:Source:Standard:1.0/python-aiohttp
- SUSE:SLE-15-SP4:Update/python-aiohttp
- SUSE:SLE-15-SP1:Update/python-aiohttp

Already fixed:
- openSUSE:Factory/python-aiohttp

Upstream patch [0].

[0] https://github.com/aio-libs/aiohttp/commit/493f06797654c383242f0e8007f6e06b818a1fbc

Our CVE monitor ran and found none of our active or inactive images are affected by this CVE.

(In reply to Gianluca Gabrielli from comment #1)
> Affected packages:
> - SUSE:ALP:Source:Standard:1.0/python-aiohttp
> - SUSE:SLE-15-SP4:Update/python-aiohttp
> - SUSE:SLE-15-SP1:Update/python-aiohttp
>
> Already fixed:
> - openSUSE:Factory/python-aiohttp
>
> Upstream patch [0].
>
> [0] https://github.com/aio-libs/aiohttp/commit/493f06797654c383242f0e8007f6e06b818a1fbc

Backporting the fix to aiohttp 3.8.5 as found in SLE-15-SP4 is trivial; backporting it to 3.6.0 as found in SLE-15-SP1 is difficult, on the other hand. We can either skip SLE-15-SP1 as it's going to EOL soon or upgrade python-aiohttp in SLE-15-SP1 to the same version as found in SLE-15-SP4.

Well, what is in the SP1 project covers SP2 and SP3, and both have some life left in them.

(In reply to Robert Schweikert from comment #6)
> Well, what is in the SP1 project covers SP2 and SP3, and both have some life
> left in them.

OK, I'll fix SP4 then and try to sync SP1 with SP4 afterwards.

I have backported the fix for CVE-2023-49082 to the 3.8.x branch now, but the backport required an update of aiohttp from 3.8.5 to 3.8.6 [1].

A backport to 3.8.5 required some more extensive changes to the fix for CVE-2023-49082 which I wanted to avoid due to the security nature of the update.

Would such an update still be acceptable?

[1] https://build.suse.de/package/show/home:glaubitz:staging3:SUSE-SLE-15-SP4:Update/python-aiohttp.SUSE_SLE-15-SP4_Update

I'm currently trying to verify the fix and there seems to be something wrong with the parsing of the HTTP version from the header.

(In reply to John Paul Adrian Glaubitz from comment #10)
> I'm currently trying to verify the fix and there seems to be something wrong
> with the parsing of the HTTP version from the header.

OK, the issue I have observed shows with python-aiohttp 3.9.1 as well, so it's not related to my submission for SLE-15-SP4.

I have tried to backport the fix [1] to python-aiohttp 3.6.0, but I was not able to make the associated test pass [2], unfortunately.

I'd appreciate it if someone could have another look at my suggested patch.

[1] https://github.com/aio-libs/aiohttp/commit/493f06797654c383242f0e8007f6e06b818a1fbc
[2] https://build.suse.de/project/show/home:glaubitz:staging61:SUSE-SLE-15-SP1:Update

SUSE-SU-2024:0168-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1217682
CVE References: CVE-2023-49082
Sources used:
openSUSE Leap 15.4 (src): python-aiohttp-3.8.6-150400.10.11.1
openSUSE Leap 15.5 (src): python-aiohttp-3.8.6-150400.10.11.1
Python 3 Module 15-SP5 (src): python-aiohttp-3.8.6-150400.10.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

In [0] I backported the code of the fix for CVE-2023-49082 to the package for 15-SP1. The problem was that in the package, there's an HTTP parser written in Python and the backport of the fix was simple, but there's a C HTTP parser also in the package and porting that was not that straightforward.

I did the backport and included some tests to validate that no `newline` or non-`regular` characters are allowed in the request line.

This backport should be reviewed by someone from the security team, just in case it does not fix the CVE completely (or includes some new issue).

[0] https://build.suse.de/package/show/home:amunoz:branches:SUSE:SLE-15-SP1:Update/python-aiohttp

Done, closing.
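The backport comment above describes the check the fix needs: nothing but "regular" characters in the request line, and in particular no CR or LF in the method, so that a caller-supplied method cannot terminate the request line early and smuggle extra header lines into the request (the CRLF injection CVE-2023-49082 describes). The following is an added example of such a check, not aiohttp's code nor the SUSE backport; it assumes the RFC 9110 `token` character set as the definition of "regular" for the method and rejects control characters and whitespace in the request target, and the helper names (`is_valid_method`, `build_request_line`, `check_request_line`) are this example's own.

```python
import re

# RFC 9110 "tchar": the characters an HTTP method token may contain. Assumed
# here as the meaning of "regular" characters; the real patch may phrase the
# rule differently. CR, LF, SP and HT are deliberately absent from the set.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Anything in the request target that would end the request line early or
# split it into a new header line: NUL..SPACE and DEL.
_BAD_TARGET_RE = re.compile(r"[\x00-\x20\x7f]")


def is_valid_method(method: str) -> bool:
    """True if `method` is exactly one token (fullmatch, so a trailing '\n' fails too)."""
    return _TOKEN_RE.fullmatch(method) is not None


def is_valid_target(target: str) -> bool:
    """True if `target` is non-empty ASCII with no control characters or whitespace."""
    return bool(target) and target.isascii() and _BAD_TARGET_RE.search(target) is None


def build_request_line(method: str, target: str, version: str = "HTTP/1.1") -> bytes:
    """Serialise the request line, refusing any input that could inject a second line.

    Raises ValueError instead of silently emitting a request that carries
    attacker-chosen header lines after the method or target.
    """
    if not is_valid_method(method):
        raise ValueError(f"invalid HTTP method token: {method!r}")
    if not is_valid_target(target):
        raise ValueError(f"invalid request target: {target!r}")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError(f"unsupported HTTP version: {version!r}")
    line = f"{method} {target} {version}\r\n"
    # Defence in depth: the only CRLF in the serialised line is the terminator.
    assert line.count("\r\n") == 1 and line.endswith("\r\n")
    return line.encode("ascii")


def check_request_line(method: str, target: str) -> str:
    """Classify a (method, target) pair as 'ok' or return the rejection reason.

    Handy for a regression test or a fuzz harness over user-controlled input.
    """
    try:
        build_request_line(method, target)
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: a normal request and two that try to add a header line.
    for m, t in [("GET", "/index.html"),
                 ("GET\r\nX-Injected: 1", "/"),
                 ("GET", "/\r\nX-Injected: 1")]:
        print(repr(m), repr(t), "->", check_request_line(m, t))
```

The same validation belongs in every parser the package ships: the comment above notes that aiohttp carries both a pure-Python and a C HTTP parser, and a check applied to only one of them leaves the other code path exposed. Using `fullmatch` rather than `match` with `$` matters in Python, because `$` also matches before a trailing newline and would let `"GET\n"` through.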